July 18, 1997

MEMORANDUM

SUBJECT:       Final Report: Security of Small Purchase Electronic Data
               Interchange (SPEDI) Local Area Networks (LANs)
               Audit Report No. E1AMR7-15-7012-7100307

FROM:          Patricia H. Hill, Director
               ADP Audits and Assistance Staff (2421)

TO:            Paul A. Wohlleben, Director
               Office of Information Resources Management (3401)

               Betty L. Bailey, Director
               Office of Acquisition Management (3801F)

               Mark Luttner, Acting Deputy Director
               Office of Planning, Analysis, and Accountability (2721)

Attached is our final report entitled “Security of Small Purchase Electronic Data Interchange (SPEDI) Local Area Networks (LANs).” The primary objectives of the audit were to: 1) survey the production SPEDI sites to verify the adequacy of security policy, controls, and documentation for the SPEDI application and the LANs where it is processed; and 2) verify both physical and logical security controls at the SPEDI Headquarters site. This report represents the opinion of the Office of Inspector General (OIG) and describes problems and recommended corrective actions the OIG has identified.

In accordance with EPA Order 2750, you, as action officials, are required to provide this office a written response to the report within 90 days of the final report date. If corrective actions will not be complete by the response date, we ask that you describe the actions that are ongoing and provide a timetable for completion. In addition, please track all action plans and milestone dates in the Management Audit Tracking System.

We appreciate your many comments on the recommendations presented in the report and the many actions you and your staffs have already initiated to address issues concerning the security of the SPEDI application and its LANs. We have no objection to the further release of this report to the public. Should you or your staff have any questions regarding this report, please contact Jim Rothwell, ADP Team Leader, ADP Audits and Assistance Staff, at (202) 260-1785.

Attachment


Office of Inspector General
Report of Audit

SECURITY OF SMALL PURCHASE ELECTRONIC DATA INTERCHANGE (SPEDI) LOCAL AREA NETWORKS (LANs)

JULY 18, 1997

Audit Report E1AMR7-15-7012-7100307


Inspector General Division
  Conducting the Audit:      ADP Audits and Assistance Staff

Region(s) Covered:           Regions 1 through 10
                             Headquarters

Program Offices Involved:    Office of Acquisition Management
                             Office of Planning, Analysis, and Accountability (part of OCFO)
                             Office of Information Resources Management


Security of SPEDI Local Area Networks (LANs)

SPEDI SECURITY CONTROLS NEED IMPROVEMENT

RESULTS IN BRIEF

Survey results revealed that security controls need improvement at all of the responding production SPEDI sites. The survey also indicated significant shortcomings in documentation of security controls at both the application and Local Area Network (LAN)/facility level, as well as in disaster recovery procedures and contingency planning. Five production sites issued no response to our survey from either the LAN System Administrator (SA) or the Information Security Officer (ISO) and, therefore, we have no assurance that any of these five sites have proper controls. We consider the absence of management-approved security plans for the SPEDI application and LANs to be a serious control deficiency, because there is a high risk of potential loss or manipulation of critical procurement data. Our survey revealed varied reasons for the inadequate amounts of security documentation and inconsistent implementation of security controls at the production SPEDI sites. For example, Agency-wide security policy and guidance implementing the most recent OMB Circular A-130 have not been finalized. In addition, personnel were unaware that there is interim EPA guidance to assist in the development of the required security documentation. There is also no coordinated overall security documentation for the SPEDI application production sites. Furthermore, ‘assessable unit’ managers are confused about OMB Circular A-130 security plan requirements and the related requirements identified for OMB Circular A-123.


PURPOSE

As part of the analysis of General Controls for the 1996 Audit of Financial Statements, we evaluated the security controls for the Small Purchases Electronic Data Interchange (SPEDI). At the time of our evaluation, SPEDI was in production at thirteen sites. These sites include the 10 regions, Headquarters, and two Contract Management Division sites [Cincinnati and Research Triangle Park (RTP)]. The focus of this audit was on the development and implementation of security policy and procedures for LANs that process the SPEDI application. We performed a more detailed audit of security implementation at the Headquarters SPEDI site. The detailed audit focused on the presence of logical and physical security controls for that particular site.


BACKGROUND

SPEDI is a part of the Integrated Contract Management System (ICMS), which electronically handles small purchases. SPEDI directly obtains information on commitments from the Integrated Financial Management System (IFMS). The procurements or obligations it creates are entered manually into the IFMS system, although this is scheduled to become an electronic interface in the future. In fiscal 1996 SPEDI handled over $44 million in purchases. This figure will increase in future fiscal years as SPEDI is implemented at additional sites and as more vendors use electronic data interchange to conduct business. SPEDI is scheduled to be put into production at EPA laboratories in fiscal 1997.

As the number of production sites grows, SPEDI’s role in EPA’s procurement will become more significant. SPEDI is a client/server [1] application which is listed as a ‘Major Regional or Program System (Level II)’ in EPA’s Information System Inventory. This designation reflects the increasing reliance of the Agency on LANs as a means of transmitting key information for conducting Agency business. Although EPA has published LAN Directives and a LAN Operations and Procedures (LOPS) Manual, little audit work has been performed to verify the implementation of security for LANs and LAN-based applications.

[1] A decentralized application where locally centralized databases (server) are accessed by individual users via applications on their desktop PCs (client). A Local Area Network (LAN) connecting the PCs and server provides access capability. These local databases may, in turn, feed into and be refreshed from information maintained in a larger consolidated database.


SCOPE AND METHODOLOGY

We surveyed thirteen sites where SPEDI was in production as of September 1996. This survey consisted of a set of questions directed to the Information Security Officer (ISO) and to the LAN Systems Administrator(s) (SAs) at each site. Questions covered the following subjects: documentation of application and general support system security; implementation of logical and physical security controls; monitoring and reporting of security problems; virus protection; training; and any security or performance problems encountered.

The documentation requested in the survey included: 1) an Application Security Plan; 2) a LAN/Facility Security Plan; and 3) a Disaster Recovery/Contingency Plan. Application Security Plans and Disaster Recovery/Contingency Plans were required prior to the OMB Circular A-130 revision in February 1996. The LAN/Facility Security Plan was a new requirement in February 1996. Furthermore, OMB Circular A-130 stated that the previous requirements remained in effect until NIST issues expanded security planning guidance for the Agency to use for the security plans. We wanted ISOs and LAN Managers to provide security documentation in either the old or the current form.

We also performed a detailed evaluation of the Headquarters SPEDI LAN located in the Fairchild Building in Washington, D.C.
This evaluation was performed in two phases: 1) a walkthrough to observe implementation of facility security; and 2) an analysis of the operating system (NETWARE) security, as implemented on the SPEDI Headquarters server known as DCFC1. The LAN security monitoring package entitled Omniguard/Enterprise System Manager (ESM), by AXENT Technologies, was used to analyze the NETWARE operating system security. This monitoring software has been tested by the Security Office of the Enterprise Technical Systems Division (ETSD) in Research Triangle Park, North Carolina. The criteria this software uses to evaluate NETWARE security can be customized and, therefore, were set to reflect EPA Policy and Operational Directives. Additionally, we risk-ranked controls identified by the ESM as “high”, “moderate” or “low” [2]. We based these rankings on: 1) scores provided by ESM using thresholds based on EPA security directives; 2) information on facility security at the Headquarters location; and 3) information gained from analyzing more detailed ESM reports.

[2] High risk indicates a condition or control weakness which creates strong potential that disruptive intrusion could occur and even go undetected for some time; Moderate risk indicates that a compensating control has reduced the likelihood of intrusion or disruptive activity that such a condition or weakness could allow; Low risk means that all controls are in accordance with requirements and that there are no conditions which add risk to the facility or applications.

The field work was performed from September 1996 through March 1997. All work was performed in Washington, D.C. We conducted this audit in accordance with Government Auditing Standards (1994 revision) issued by the Comptroller General of the United States. Our audit included tests of management and related internal controls, policies, standards, and procedures specifically related to the audit objectives. Because this audit disclosed Agency-level weaknesses related to EPA’s IRM Program, we also reviewed the OMB Circular A-123 evaluation process to determine why these weaknesses were not identified internally (see “OMB Circular A-123 Process Is Not Reporting Security Weaknesses” below). No other issues came to our attention which we believed were significant enough to warrant expanding the scope of the audit.


INFORMATION SECURITY REQUIREMENTS AND GUIDANCE

The responsibilities for information security at EPA are decentralized. The Office of Information Resources Management (OIRM) develops and defines the information security policy for the Agency. It disseminates the policies and provides some security training. However, each site with a LAN, whether it be a region, laboratory or program office, must designate an ISO to be responsible for the overall security of the ADP facilities and applications processed there. In addition, for each LAN there should be a properly trained LAN Systems Administrator (SA) who is responsible for day-to-day implementation, maintenance, and monitoring of security for the LAN(s) they administer.

Office of Management and Budget (OMB) Circular A-130 is entitled “Management of Federal Information Resources.” Appendix III of this circular is entitled “Security of Federal Automated Information Systems.” This appendix details the required policy and guidance agencies must provide to ensure that automated systems have adequate security programs and documentation.

It establishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems established in accordance with OMB Circular A-123. The Appendix revises procedures formerly contained in Appendix III to OMB Circular A-130 (50 FR 52730; December 24, 1985), and also incorporates requirements of the Computer Security Act of 1987 (P.L. 100-235) and responsibilities assigned in applicable national security directives.

OMB Circular A-123 requires agencies to provide a feedback and reporting procedure to evaluate the integrity of the Federal programs for which they are responsible. This includes the management of their information resources. This circular specifically lists “Reviews of systems and applications conducted pursuant to the Computer Security Act of 1987 (40 U.S.C. 759 note) and OMB Circular A-130, ‘Management of Federal Information Resources’” as information sources to be used in assessing and improving management controls. OMB Circular A-123 also states that “the documentation for transactions, management controls, and other significant events must be clear and readily available for examination”.

EPA Directive 2100 - Information Policy Manual, Chapter 8, contains Agency security requirements policy. It states that EPA considers all of its information to be sensitive and that OMB Circular A-130 requirements for evaluating security controls should be followed. It also assigns responsibility for many related functions. EPA’s Information Security Program is OIRM’s responsibility, while “Primary Organization Heads” are required to provide annual assurances that information resources are adequately protected using the OMB Circular A-123 process. It is this directive which specifies that: “Senior Information Resource Management Officials (SIRMO) are responsible for approving information security plans and certifying sensitive systems within their primary organizations;” and “Information Security Officers (ISO) are responsible for ensuring that comprehensive information security programs are in place for installations within their organizations.” Guidance for implementation of these requirements is found in EPA’s Information Security Manual (ISM) (Directive 2195), which has been undergoing revision.

Appendix A of EPA’s Information Security Manual (ISM) dated October 23, 1995 was used for the development of the technical portion of EPA’s Application Security Plan. The ISM complies with the guidance in OMB Bulletin 90-08 and can still be used. OMB Circular A-130, dated February 1996, states that until NIST publishes a new Federal Information Processing Standard (FIPS) on Security Plans, the appendix of OMB Bulletin 90-08 can be used as guidance for Application Security Plans. EPA’s ISM is currently being updated to comply with the latest OMB Circular A-130 Appendix III. In the interim, the Chief Information Officer issued a memorandum summarizing the changes in the new Appendix III. That memorandum, dated April 3, 1996, stated that the ISM was being revised to comply with the new OMB requirements. Further, the new Agency guidance will require a consolidated document (i.e., a major application or general support system security plan) which will combine facility security and disaster recovery with application security.
In response to our concerns, on February 21, 1997, EPA’s National Program Manager for Information Security issued a draft NIST guide, User Guide for Developing and Evaluating Security Plans for Unclassified Federal Automated Information Systems, as interim EPA guidance to the ISOs.

EPA’s Management Integrity Guidance provides guidance and assigns responsibility for the Agency OMB Circular A-123 process. However, this guidance and Directive 2560 are out of date, because they both predate the latest OMB Circulars A-123 and A-130.

EPA Enterprise Technology Services Division (ETSD) Directives 310.01 through 310.13 and the LAN Operations Procedures (LOPS) Manual contain operational guidance and procedures regarding LAN standards. These sources contain chapters on LAN security.


SECURITY CONTROLS AT SMALL PURCHASE ELECTRONIC DATA INTERCHANGE (SPEDI) PRODUCTION SITES NEED IMPROVEMENT

Survey results revealed that security controls need improvement at all of the responding production SPEDI sites. The survey also indicates significant shortcomings in documentation of security controls at both the application and LAN/facility level, as well as in disaster recovery procedures and contingency planning. According to the survey, there is confusion concerning the need for security controls, security documentation, and the overall risk associated with the SPEDI application. Five production sites issued no response to our survey from either the LAN SA or the ISO. Therefore, there is no assurance that any of these five sites have designated the required security personnel, implemented adequate security measures, or produced the security documentation required by OMB and the Agency. We also determined that information system security and security documentation were not being assessed as part of the Agency’s OMB Circular A-123 process. Improvements were noted in the implementation of security controls at the Headquarters site.

Inadequate Security Implementation At SPEDI Production Sites

None of the thirteen sites surveyed provided the security documentation required for reasonable assurance that general controls are operating properly for the SPEDI application, in compliance with OMB and Agency requirements. Despite multiple requests [3], five production SPEDI sites did not respond to the survey. Therefore, there is no assurance that anyone is maintaining LAN or facility security at these sites.

       1. Of the 13 sites surveyed, only 3 responded that there was a Security Plan for the SPEDI LAN, either in draft form or incorporated in the region’s security plan. Of these positive responses, an actual copy was provided by only one site. Five other sites responded with a list of some security measures taken, but did not have either a LAN Support Security Plan or a Security Section of a General Support System Security Plan.

       2. Of the 13 sites surveyed, none were able to provide a copy of an Application Security Plan. A copy of a draft Security Plan for SPEDI has since been received under separate cover. Two sites responded that a draft security plan for the SPEDI application, as a whole, was being created by the ICMS development team. Five other sites responded with reasons why there was no such plan.

       3. Of the 13 sites surveyed, two sent Disaster Recovery Plans. Of the remaining 11 sites, six responded that backups were being taken and stored in a different location.

[3] Requests made on October 15 and November 4, 1996.

As part of the survey, we requested copies of the following three security documents for each site: 1) a Security Plan for the SPEDI LAN as required by OMB Circular A-130, and expanded by OMB Bulletin 90-08 and EPA’s Information Security Manual (ISM); 2) an Application Security Plan for SPEDI, as required in OMB Circular A-130; and 3) a Disaster Recovery Plan for the SPEDI application, as detailed in OMB Bulletin 90-08 and EPA’s ISM. The requested documents would satisfy either the previous or the February 1996 security control requirements. OMB Circular A-130 currently requires a Major Application Security Plan and a General Support System Security Plan for the application. The General Support System Plan should contain several components, including a LAN Security Plan and a Disaster Recovery Plan for the site processing the SPEDI application.

We received eight responses to this survey. Among the eight responding sites, there was reasonable assurance that some of the EPA-required logical security was implemented via NetWare, but there were inconsistencies between individual sites. Although each of the eight responding sites performed security monitoring, the type of monitoring and the maintenance of monitoring reports or records were also inconsistent. All eight sites responded that they had adequate virus protection software and performed full and incremental backups.

OMB Circular A-123 Process Is Not Reporting Security Weaknesses

The OMB Circular A-123 Assurance Letters are not reporting incomplete security documentation or other security shortcomings which are security weaknesses. We reviewed six of the ten regional fiscal 1996 OMB Circular A-123 Assurance Letters, as well as the Assurance Letter issued by the Office of Administration and Resources Management (OARM). None of these letters reported incomplete security documentation as a control weakness, for either SPEDI or the regional sites. OMB Circular A-130 requires that management approve security plans at least every three years through the OMB Circular A-123 process. OMB Circular A-130 also specifies that security control weaknesses be reported as part of the Agency’s OMB Circular A-123 annual review process. EPA’s Information Security Program is relying on the managers of the individual sites and program offices to implement these Federal security requirements or to report information security weaknesses as part of the OMB Circular A-123 process.

Corrective Actions And Compensating Controls Lower Risk At Headquarters Site

Our first test and analysis of logical security implementation at the Headquarters SPEDI LAN (executed on 11-20-96) identified five ‘high risk’ conditions that severely downgraded or negated operating system security controls:

1.     The number of accounts having the equivalence of ‘supervisor’ [4] exceeded the number allowed in EPA policy;
2.     Several of these ‘supervisory’ accounts were inactive, which increases the associated risk of misuse;
3.     Agency-mandated password controls were negated by incorrect implementation of certain password features;
4.     Some accounts allowed unlimited concurrent logins, which greatly increases the risk of undetected intrusion; and
5.     Many powerful system files were duplicated.

In addition, our analysis identified the following six conditions as ‘moderate’ risk:

1.     DCFC1's AUTOEXEC.NCF file did not remove the DOS operating system from the computer console or lock the console keyboard access [5];
2.     Improper implementation of operating system intruder detection parameters;
3.     Required password length was too short on some accounts;
4.     Some accounts were not required to change passwords frequently enough;
5.     Some accounts were allowed more than one concurrent login; and
6.     Some accounts did not have the ability to change passwords.

Results of a second test (executed on 12-20-96) of the Headquarters server revealed complete corrections to, or significant improvements upon, several conditions which had been designated as ‘high risk’ as a result of the first test. A walkthrough of the SPEDI LAN site at Headquarters also revealed that good physical security controls were in effect.

[4] Supervisor equivalence is assigned to a user account by the account SUPERVISOR. It has the same access rights as the original SUPERVISOR, which means that it can do anything to any file regardless of its contents or origin.

[5] This was initially downgraded from “high” to “moderate” risk because compensating controls limited physical access to the server.

Corrective actions and/or compensating controls scheduled or implemented will significantly reduce the level of risk to SPEDI at Headquarters. The level of risk has been reduced to “moderate risk” in all but one instance. Duplicate files have been scheduled to be cleaned up and ESM monitoring software is scheduled to be installed on the server. The other high and moderate risk conditions have been corrected or addressed by a compensating control. However, the number of accounts with “supervisory” security equivalence is still not reduced to the level required by EPA policy. The number of such accounts was reduced to 8, but the Agency-required limit (LOPS and Directive 310.09) is 3.


LACK OF APPROVED SECURITY PLANS CONSTITUTES CONTROL WEAKNESS

We consider the absence of management-approved security plans for the SPEDI application and LANs to be a serious control deficiency, because there is a high risk of potential loss or manipulation of critical procurement data. The Agency also identifies it as a major system.
The Information\nSystems Inventory (ISI) describes SPEDI as a Level II Information System, and this indicates that\nit is considered to be critical to each of the particular regions or contract management sites it serves.\nAlthough these sites are not in compliance with OMB Circular A-130 and Agency IRM security\ndirectives, the \xe2\x80\x98assessable unit\xe2\x80\x99 manager has not identified this as a serious internal control\nweakness. Therefore, top management was not reporting or initiating corrective actions through the\nAgency\xe2\x80\x99s OMB Circular A-123 process.\n\nThe risk of disruption to SPEDI processing and loss of integrity of its data is increased due to\nsecurity control weaknesses. Incomplete Security and Disaster Recovery provisions increase\nlikelihood of exposure6 of SPEDI LANs and the SPEDI application to an undesirable result. This\ncould create disruption in service or loss of data integrity. Loss of data integrity could also hamper\nEPA\xe2\x80\x99s ability to process payments for procurements. In fiscal 1996 SPEDI processed $44 million\nof Agency procurements.\n\n\nSECURITY FOR SPEDI NEEDS INCREASED ATTENTION AT MANY LEVELS\n\nOur survey revealed varied reasons for the inadequate amounts of security documentation and\ninconsistent implementation of security controls at the production SPEDI sites. Personnel at these\n\n\n        6\n               An exposure is the probable result (such as logical or physical changes to\nprocessing programs or data which could render the application and/or the data it processes\ninaccurate or unavailable) of the occurrence of an adverse event.\n\n                                                   9\n\n                                                    Audit Report No. E1AMR7-15-7012-7100307\n\x0c                                                  Security of SPEDI Local Area Networks (LANs)\n\n\nsites were confused about EPA guidance to assist in the development of the required security\ndocumentation. 
There is also no coordinated overall security documentation for the SPEDI\napplication for its production sites. Further, the survey indicated security personnel are confused\nabout their responsibilities. In addition, not all ISOs from these sites have attended an EPA Security\nConference which addressed the latest OMB and EPA guidance. Lastly, inadequate security\ndocumentation is not reported because the June 1994 Agency guidance, under the current OMB\nCircular OMB Circular A-123, allows Management to decide what to report.\n\nAgency Policy Needs Updating\n\nAgency-wide security policy and guidance, implementing the most recent OMB Circular A-130,\nhave not been finalized. EPA management has taken a number of initial steps to publicize the latest\nchanges to OMB Circular A-130. In April 1996, EPA management provided an Agency-wide\nsecurity update summarizing Appendix III of the revised OMB Circular A-130. OIRM management\nalso provided Agency-wide guidance for Rules of Behavior in June 1996. Management officials\nindicated that EPA has not updated guidance on System Security Plans because it is waiting for the\nNational Institute of Standards and Technology (NIST) to issue revised security planning guidance\nas called for in the revised A-130, Appendix III. EPA\xe2\x80\x99s National Information Security Program\nManager is currently revising EPA\xe2\x80\x99s guidance using the most recent draft of NIST\xe2\x80\x99s Federal\nguidelines for the development and evaluation of security plans, per the revised Appendix III. In\nFebruary 1997, the Program Manager for Information Security provided copies of the Draft \xe2\x80\x9cUser\nGuide for Developing and Evaluating Security Plans for Unclassified Federal Information Systems\xe2\x80\x9d\nto the ISOs. This provides interim Agency guidance based on current OMB Circular A-130\nrequirements.\n\nAt the time of our field work, there was no official SPEDI-specific guidance provided for the ISOs\nor LAN SAs at each site. 
There is a draft Integrated Contract Management System (ICMS) System\nSecurity Plan and Risk Assessment which covers SPEDI, but it has not yet been distributed to the\nproduction SPEDI sites. OAM management stated that the ICMS draft Security Plan and Risk\nAssessment includes: 1) an Application Security Plan; 2) a Security Plan for the SPEDI LANs; and\n3) guidance for Disaster Recovery Plans at SPEDI sites. OAM management stated that these\ndocuments will also provide the guidance necessary for individual SPEDI sites to develop their own\nFacility and Disaster Recovery Plans. This is in keeping with the new OMB Circular A-130\nrequirements. These documents are being reviewed by the OARM Senior Information Resource\nManagement Officer (SIRMO).\n\n\n\n\n                                                 10\n\n                                                   Audit Report No. E1AMR7-15-7012-7100307\n\x0c                                                  Security of SPEDI Local Area Networks (LANs)\n\n\nMore Training Needed For ISOs And Other Security Personnel\n\nNot all ISOs have received security training. EPA management conducted a security conference in\nAugust 1996. Attendees were provided with security training and guidance on Agency security\ndocumentation. In addition, in March 1997, OIRM conducted an ISO Forum to address similar\nsecurity issues. However, not all ISOs were in attendance at these conferences. OMB Circular A-\n130 and EPA\xe2\x80\x99s ISM both require training for all employees based on their functions. They also\nrequire that ISOs be designated in writing. The non-responses to the survey provide no assurance\nthat all production SPEDI sites have a properly designated ISO.\n\nThe survey indicated that personnel incorrectly believe: 1) SPEDI is a low risk system;\n2) implementation of some security controls meets the requirement for security documentation; and\n3) that SPEDI is not yet a production system. 
Respondents at some sites cited few users and a low volume of transactions as conditions associated with low risk. In our opinion, SPEDI is a high risk system because: 1) it was used to authorize approximately $44 million of purchases in fiscal year 1996 and will handle more in future fiscal years; 2) it is part of the Integrated Contract Management System; and 3) it is a manual feeder system for the Integrated Financial Management System. Therefore, adequate controls must be in place to protect the integrity of SPEDI and its data. The responses of the sites viewing SPEDI as low risk indicate a need for additional guidance or training to: 1) explain the potential for risk to appropriate personnel; and 2) require a more formal approach by developing a security plan and disaster recovery plan.

Agency OMB Circular A-123 Process Needs To Incorporate A-130 Requirements

Our audit noted that EPA’s Resources Management Directive 2560, Internal Controls, dated June 12, 1987, is outdated and does not address the new requirements added by OMB Circular A-130 in February 1996. An Agency official stated that Directive 2560 is being revised, but that completion is pending a reorganization of the Resource Management Division (RMD). RMD also indicated that the National Information Security Program Manager (i.e., OIRM) needed to provide assessment guidelines. EPA issued interim OMB Circular A-123 guidance under a memorandum entitled Management Integrity Guidance, dated June 1994. The interim guidance interprets OMB Circular A-123 as requiring a decentralized approach to reporting integrity weaknesses. Therefore, the OMB Circular A-123 process relies on the management of each ‘assessable unit’ to determine the integrity requirements of their programs within approved OMB and Agency guidance.
The Assistant Administrators (AAs) and Regional Administrators (RAs) are also responsible for addressing OMB Circular A-130, OMB Circular A-123 and EPA’s Management Integrity Guidance. Agency Directive 2100, Chapter 8, assigns Information Security requirements to SIRMOs and ISOs, who report to the AAs and RAs.

Whereas ‘assessable unit’ managers should incorporate the Agency security requirements into their respective OMB Circular A-123 program reviews, our survey results indicated that the ‘assessable unit’ managers are confused about OMB Circular A-130 security plan requirements and the related requirements identified for OMB Circular A-123. As a result, they are not identifying or reporting Agency security control weaknesses as part of the OMB Circular A-123 process.

In response to our interim comments, in February 1997, the National Information Security Program Manager sent a memorandum to the ISOs noting the need to evaluate information security as part of the OMB Circular A-123 process. This memorandum also requested information regarding the status of security plans for their applications or general support systems. A draft of “User Guidance for Developing and Evaluating Security Plans for Unclassified Federal Information Systems” was provided to assist the ISOs. The Information Resources Management Security Program has not established a separate feedback mechanism to ensure accountability regarding the status of Agency security plans because it relies on ‘assessable unit’ managers to identify and report Agency security control weaknesses under the OMB Circular A-123 process.
EPA Directive 2100 states that the Primary Organization Heads should utilize the OMB Circular A-123 process to provide assurance on the information resources within their organization. Therefore, OIRM is dependent on the OMB Circular A-123 process to provide feedback on problems with Agency security plans.

LAN Consolidation Procedures Need Clarification

There are several reasons why proper security controls were not in place when we first tested the SPEDI LAN at Headquarters. The controls were not correctly established because the LAN SAs had not developed a security plan based on both EPA policy and SPEDI requirements. Subsequent to our field work, the ISO provided us a draft security plan for the Fairchild Consolidated Local Area Network. Also, prior to our evaluation, no monitoring software (such as ESM) was installed on the server, and the NetWare auditing features that could have identified the security settings in effect were not activated. Management officials at Headquarters stated that they plan to obtain ESM software to monitor the LAN logical security controls. Management officials raised some additional, ongoing difficulties in establishing controls:

•      Restricting users with supervisory access is difficult because our audit was performed after an Agency-mandated LAN consolidation which resulted in the server being shared with two other offices (Office of Grants and Debarment, Financial Management Division);

•      As part of a server migration, many of the accounts on DCFC1 were copied from one server to the other without cleaning them up. This resulted in duplicate accounts or accounts with excessive privileges; and

•      Ongoing software upgrades create many duplicate files.

Our audit of ETSD’s Operational Directives 310.01 to 310.13 and the LOPS Manual identified no established Agency guidance for LAN server sharing across multiple organizations.


RECOMMENDATIONS

1. We recommend that the Director for Information Resources Management finalize and implement Agency policies and guidance to assist ‘assessable unit’ managers, SIRMOs, and ISOs in the completion, establishment, and assessment of Application and General Support System Security Plans, as required by OMB for fiscal 1997. We also recommend that continued training be provided to these personnel to better ensure completion of the Security Plans and their assessments.

2. We recommend that the Director for Planning, Analysis, and Accountability update Agency Integrity Guidance to comply with OMB Circular A-123, dated June 1995.

3. We recommend that the Director for Acquisition Management direct:

       a. The Program Manager, Integrated Contract Management System within Headquarters Procurement Operations Division to:

              (1) Coordinate with appropriate SPEDI ISOs the completion and approval of SPEDI (ICMS) Application and General Support System Security Plans.

              (2) Provide all production SPEDI sites interim guidance for developing a local Application Security Plan.

       b. The SPEDI LAN System Administrator for the Policy, Training, and Oversight Division’s System and Information Management Branch to:

              (1) Complete planned corrective actions to eliminate duplicate files.

              (2) Obtain and install ESM software on the Fairchild Consolidated Local Area Network and monitor operational controls.

       c. The ISO for the Policy, Training, and Oversight Division’s System and Information Management Branch to:

              (1) Finalize the draft security plan for the Fairchild Consolidated Local Area Network.

              (2) Obtain official guidance from EPA’s National Information Security Program Manager regarding the number of supervisory accounts allowed when sharing a server, and implement the guidance into security maintenance and ESM monitoring practices.


AGENCY RESPONSE AND OIG EVALUATION

In summary, the Agency agreed with six of the eight recommendations in our draft report, partially agreed with one recommendation, and disagreed with one recommendation by asserting that corrective action had been sufficiently addressed through another program office’s recent actions. To date, the Agency has taken a number of positive actions to correct the deficiencies. The report findings were directed to three distinct action officials and, therefore, we addressed their responses individually as follows:

In responding to the draft report, the Director for Information Resources Management agreed with recommendation 1 and provided details on planned and initiated corrective actions.
OIRM is continuing to revise existing Agency policy and guidelines and recently developed new guidance for security plan development. On July 1, 1997, EPA’s National Program Manager for Information Security distributed EPA Information Security Planning Guidance (dated June 17, 1997) to all ISOs. In addition, OIRM conducted training sessions for ISOs and SIRMOs, and consultation services are available to organizations in Headquarters and the Regions.

OIRM’s response also indicates that ISOs will be responsible for providing SIRMOs with sufficient information to determine the adequacy of information security practices for systems under their purview. The response clearly states OIRM’s dependence on the network of ISOs for awareness of and compliance with OMB A-130 requirements on Information Security Plans. In addition, the CIO recently issued a memorandum to EPA’s Senior Resource Officials reiterating the need to review management controls pertaining to the security of Agency information as part of the on-going Integrity Act process.

In response to recommendation 2, the Acting Deputy Director for Planning, Analysis, and Accountability (OPAA) stated that this recommendation should be redirected to the Chief Information Officer (CIO) and asserted that recent CIO actions had satisfied the OIG’s recommendation. We agree that the CIO’s memorandum to EPA’s Senior Resource Officials (SROs) and the Chief Financial Officer (CFO) partially addresses recommendation 2.
The OIG recognizes that the actions of the CIO and OARM are two positive steps toward identifying Information Security as a potential control weakness and thereby raising its level of attention in the Agency as a critical internal control. However, these actions do not relieve OPAA of responsibility for updating Agency-wide guidance and policies for the Management Integrity Program. Although individual Regional Administrators and Assistant Administrators may be responsible for interpreting how integrity guidance applies to their programs, outdated Agency guidance and policies should be updated to implement current OMB A-123 (June 1995) requirements.

The current OMB Circular A-123 promotes the integration of efforts to meet the requirements of the Integrity Act with other efforts to improve effectiveness and accountability. It recognizes the judgment of managers as a key component in assessing controls for their respective program(s). However, OMB Circular A-123 specifically states that ‘other policy documents may describe additional specific standards for particular functional or program activities’. It also states that ‘agencies need to plan for how the requirements of this Circular (A-123) will be implemented’. It goes on to say that ‘a written strategy for internal agency use may help ensure that appropriate action is taken throughout the year to meet the objectives of the Integrity Act’ and that ‘absence of such a strategy may itself be a serious management control deficiency’. OIG believes that not having current integrity guidance and policies for EPA constitutes a serious management control deficiency. This situation increases the likelihood that the requirements of the Integrity Act will be misconstrued or ignored altogether.
We believe that the Integrity Act’s attempt to reduce unnecessary control processes or reporting requirements should not be interpreted by OPAA (or EPA) as a reduction or elimination of any General or Specific management control standards identified in other OMB Circulars. Until the existing EPA Integrity Act policy and guidance are updated, the OIG will recommend through the Integrity Act process that the lack of current policy and guidance be reported as a serious internal control deficiency. We revised recommendation 2 accordingly.

In their draft response to recommendation 3, the Director for Acquisition Management agreed with the primary findings that security controls need improvement at all of the production SPEDI sites and that documentation of security controls at both the application and LAN/facility level needs to be developed.

In particular, OAM management described their plans to implement recommendation 3.a(1) and stated that they plan to use the draft guidance, User Guide for Developing and Evaluating Security Plans for Unclassified Federal Automated Information Systems, in developing an Application Security Plan for the Integrated Contract Management System (ICMS) family of applications, which includes SPEDI. A draft ICMS Application Security Plan is scheduled for completion no later than August 31, 1997, and OAM anticipates finalizing this plan by November 30, 1997. In addition, a draft General Support System Security Plan for the platform on which these applications operate has been submitted.
Rather than expending effort on finalizing this plan for the short time that OAM will remain in the Fairchild Building, OAM management will continue working with the Office of Information Resources Management (OIRM) on a General Support System Security Plan for their new location, the Ronald Reagan Building.

In their draft response to recommendation 3.a(2), OAM stated that as sections of the ICMS Application Security Plan are developed, they will be distributed as interim guidance to the SPEDI operations sites for comments. OAM contended that because the same versions of the ICMS applications are used throughout the Agency, only one Application Security Plan would be necessary. However, they added that individual sites will be encouraged to incorporate appropriate sections of that plan into the local site’s General Support System Security Plan. The ICMS Application Security Plan will include Disaster Recovery and Contingency Plans for the ICMS and SPEDI platforms and consolidated databases at Headquarters. The remote sites will be encouraged to prepare or verify the existence of local Disaster Recovery and Contingency Plans that include provisions for the ICMS applications.

In addition, OAM stated that the duplicate files had been eliminated and that they had attempted to install the current version of Axent’s OMNIGUARD Enterprise Security Manager software on the Fairchild Consolidated LAN. These two corrective actions were initiated in response to recommendations 3.b(1) and (2).

OAM is currently developing a General Support System Security Plan for the Ronald Reagan Building. This plan will cover the ICMS applications and all other applications to be operated on the consolidated LAN. This action was initiated in response to recommendation 3.c(1).
In response to recommendation 3.c(2), OAM also received guidance from the National Information Security Program Manager on how to establish and justify the number of supervisory accounts required to manage the Fairchild Consolidated LAN.

While OAM’s response identified many planned and initiated corrective actions, we note that these actions are not yet fully complete. Therefore, these recommendations will remain as stated in the draft report. We made some editorial changes to the final report in response to OAM comments. However, we cannot justifiably delete statements equating absent survey responses to a lack of proper controls at the non-responding sites. We twice distributed our survey through the ICMS program manager to those sites where SPEDI was in production at that time. As five of these sites were non-responsive to both survey requests, no evidence was offered as to the existence of any logical or physical controls at those sites. Likewise, we do not find it necessary to make changes concerning training, because the training provided by OIRM is detailed both in the text of the report and earlier in this section.


APPENDIX I

REPORT DISTRIBUTION

Office of Inspector General

       Acting Inspector General (2410)

       Assistant Inspector General for Audit (2421)

       Principal Deputy Assistant Inspector General for Audit (2421)

       Deputy Assistant Inspector General for Internal Audits (2421)

       Deputy Assistant Inspector General for External Audits (2421)

       Director, Financial Audit Division (2422)

EPA Headquarters

       Acting Director, Office of Information Resources Management (3401)

       Director, Office of Acquisition Management (3801F)

       Acting Deputy Director, Office of Planning, Analysis and Accountability (2721)

       Chief Information Officer (3101)

       Director, Information Resources Management Planning Division (3402)

       Agency Audit Followup Official (3101)
        Attn: Assistant Administrator for Administration and Resources Management

       Agency Audit Followup Coordinator (2710)
        Attn: Audit Management Team

       National Program Manager for Information Security (3402)

       Special Assistant, Office of Acquisition Management (3801F)

       Audit Liaison (3102)
        Attn: Office of Policy and Resource Management

       Audit Liaison (3802F)
        Attn: Office of Acquisition Management

       Audit Liaison (3401)
        Attn: IRM Policy and Evaluation Division

       Audit Liaison (2721)
        Attn: Office of Planning, Analysis and Accountability

       Program Manager for Integrity (2721)
        Attn: Office of Planning, Analysis and Accountability

       Program Manager, Integrated Contract Management System (3801)

       Information Security Officer
        Attn: Policy, Training, and Oversight Division (3802F)

       LAN Systems Administrator (3802F)
        Attn: Policy, Training, and Oversight Division

       Systems Accountant, Office of the Comptroller (3304)

Research Triangle Park, North Carolina

       Security Officer, Enterprise Technology Services Division (MD-34)